These are required to be this way for our Common Criteria evaluations.

Is the thought here that if the code can be executed by a non-root user,
the audit of the code would have to be far more strict? If you keep the
user from being able to execute, you don't have to worry as much about
how they might exploit it?

And do we seriously think we can keep the code away from a non-root user
by chmod'ing the binaries? A user can get a binary for anything
Fedora can install in about 30s w/ Firefox.